A Private Network for IoT Devices

Cloudflare has just announced something interesting, and a potential game changer for IoT-based threats:

“Orbit sits one layer before the device and provides a shield of security, so even if the device is running past its operating system’s expiration date, Cloudflare protects it from exploits. And while devices may be seldom patched, the Cloudflare security team is shipping code every day, adding new firewall rules to Cloudflare’s edge. Think of it like changing IoT to I*oT — devices can still access the Internet, but only after passing through Cloudflare where malicious requests can be filtered.

For the last year, Cloudflare has been working with a number of IoT vendors to develop Orbit. Already more than 120 million IoT devices are safer behind Cloudflare’s network. Lockitron is one of the IoT companies using Cloudflare. “Keeping our products and customers secure is our primary concern,” says Paul Gerhardt, co-founder of Lockitron. “Cloudflare provides an extra layer of security that allows us to keep our devices continually updated and ahead of any vulnerabilities.””

Source: https://blog.cloudflare.com/orbit/



Included on the Tech 100 for Scotland

Very happy that I have had something published in the Holyrood Tech 100 magazine! I have included the original piece below, but highly recommend viewing it on their site!

2016 has been notable for some fantastic events, like Andy Murray winning his second Wimbledon title and, of course, the Rio Olympics.

But it has also been notable for a remarkable number of malicious events, for example, the sheer volume and scale of the security breaches suffered by some of the world’s most high-profile firms.

Disturbingly, some of the breaches that made the headlines actually occurred months or even years earlier but were only discovered recently.

Today’s cyber security technologies and processes are designed to flag up anomalies and causes for concern in real time, so these delays in identifying breaches shouldn’t be happening in 2016.

Unfortunately, this trend is unlikely to cease without considerable investment in new tools to detect and adapt to these mounting threats.

It doesn’t take an expert to predict that cyber attacks are set to become even more commonplace during 2017 and the types of threats – external attacks, malicious insider attacks or fraud – even more sophisticated.

In this environment, legacy passive security monitoring is no longer fit for purpose.

Fortunately, these depressing newspaper headlines have kickstarted a counter movement. Business leaders are waking up to the very real risks to the company bottom line and reputation, and are ready to take proactive steps to counter these threats.

In practice this means adopting a new, flexible cyber security strategy that uses big data to facilitate ‘always on’ monitoring, fast incident response and the ability to detect and respond to known, unknown and advanced threats.

During my time with ECS I have helped some of the UK’s largest businesses prepare themselves against cyber threats in this way.

For any business that has ‘better preparation against cyber threats’ on its list of New Year’s resolutions, here’s a handy checklist:

  1. Assume that your computer network – and all devices attached to that network – have been, or currently are, compromised. This keeps you one step ahead of a would-be attacker, because you are operating on the assumption that you are fighting an active threat, not some old computer virus that just happened to flag up on your antivirus software for the 1,000th time.
  2. Keep a log of everything: every email, every voicemail and every iteration of a customer database. This applies to all data sources and all data types (audio/video/text etc.). It matters because you cannot predict what data will be lost or altered in a breach. If you suffer one, you will need to reconstruct the entire history of your computer systems and network to find out what happened when and, hopefully, to pinpoint the perpetrators. This becomes even more important when perpetrators deliberately encrypt data for ransom or destruction: encrypted data is often unrecoverable, so backups are also a mitigation.
  3. Store all of your data in a big data security hub (e.g. a data lake or pool). This will make it much easier to assess any attempted and successful breaches by giving you the ability to search across all of your data and business silos in real time.
  4. Gain valuable, contextual insights from all of your data by using machine learning and behavioural analytics.

These techniques automate most of the legwork and offer up a detailed analysis of information on users, attacks, context, time and location. This leads to much faster threat identification, investigation and response.

The amount of data involved in the steps above gives a clue to the importance of big data in the fight against data breaches.

And this focus on big data analysis also has another upside: it can be used by line of business managers to help them make more informed business decisions, decisions that have a positive effect on the bottom line.

A recent example involved a national retailer that already had data from its website flowing into a big data platform to detect security incidents.

After investigating this data, a number of additional (and more business-relevant) use cases emerged and were subsequently developed.

These included fraud detection on the e-commerce part of the website, and tracking and reporting on user journeys as they moved through the website.

This enabled the developers to see and track errors in real time before users started complaining on Twitter.

By automating the collection, processing, enrichment and presentation of all this data – and with the right tools and training – line of business personnel will be motivated to analyse any data relevant to their roles themselves, reducing the burden on the IT team.

This self-service model is the key to a mature, agile, data-driven business, enabling businesses to respond quickly to market changes and so gain competitive advantage.

In summary, today’s threat landscape means that no business should assume it is immune to a cyber attack. In fact every business should assume it has been compromised.

Being at least one step ahead by putting in place a range of proactive processes and measures that instantly alert businesses to potential threats is crucial. Big data platforms offer a solid, data-driven approach to these problems.

Harry McLaren is a security consultant for ECS and won the Best New Cyber Talent at the first Scottish Cyber Awards, held last month in Edinburgh

Original Publication: http://www.holyrood.com/articles/comment/tech-100-%E2%80%98today%E2%80%99s-threat-landscape-means-no-business-should-assume-it-immune-cyber 



Awarded ‘Best New Cyber Talent in Scotland’ at the first ever ‘Scottish Cyber Awards’

On Wednesday (16th November 2016) I had the privilege of attending Scotland’s first ‘Cyber Awards’ which were hosted at The Caledonian Hotel in Edinburgh. Having been nominated by my employer (ECS) for the category of ‘Best New Cyber Talent’ I was somewhat nervous being at such a well-attended event, which included many influential and great people throughout the computer security industry. Many familiar faces like Stu Hirst of Skyscanner and Bill Buchanan of Edinburgh University (both of whom were up for the same award!) were in attendance and it was interesting and somewhat inspiring to see how the computer security industry has been growing in Scotland.

The ‘Best New Cyber Talent’ category was the second to be announced, as it meant that once it was over I could enjoy the evening without feeling anxious about getting on stage and winning or not in front of 200 peers (which included ECS’s Operations Manager and my partner). There was a short speech from the award sponsor, Sophos (thanks guys!) and then, finally, the moment came and they said that the award had my name on it. I was a bit shell-shocked: not only were my fellow nominees fantastic candidates for the award, but I guess part of me just assumed I wouldn’t win. The feeling slowly spread over me throughout the night until, after an hour or so, I just started grinning.

I had won a national award and no matter how many times a day I sometimes feel out of my depth, no matter how many areas I still should learn and no matter my own self-doubt, I deserved to be nominated and to win. The only reason I could convince myself of this simple fact, of being deserving, is that the judges’ panel, organisers and managing director at my company could not all be wrong. I couldn’t have ‘deceived’ them all into believing I was good enough for this award. They saw something which I often find hard seeing in myself, and that is the best part of this experience for me: the simple truth that no matter what areas of my brain tell me the opposite, I am deserving in my field, and I’m so very proud it has been recognised in the form of this nomination and award.

Thanks to Darren Brogan for taking so many pictures of the event (including the featured image of this post)!

Edit: Stu Hirst posted a great write-up on his feelings about being nominated for ‘Cyber Evangelist of the Year’ and how much of an ‘imposter’ he sometimes feels. This really summed up my own feelings and I am so happy he shared these feelings so publicly.


“Best New Cyber Talent in Scotland”




Splunk’s Major Announcements at .conf 2016

This year’s .conf event is currently being hosted by Splunk at Disney in the US. So far there have been some awesome announcements, and below are the highlights, with links to the Splunk Blogs which go into them in more detail.

  • Introducing Splunk Enterprise 6.5 – Machine Learning and Simplified Data Analysis Open New Vistas
    • Splunk Enterprise has long offered a strong array of ML commands like anomaly detection, outlier, predict and cluster that use fixed algorithms to do their work – no ML expertise required. Today, we formally introduced the Splunk ML Toolkit (v2.0 actually) – a guided workbench and SPL extensions to help you create and operationalize your own custom analytics based on your choice of algorithms.
    • Next up is Tables, a new feature that lets you create and analyze tabular data views without using SPL. Tables will make it easier for anyone to work with Splunk – even Splunk specialists – and will let you leverage your data into whole new uses and users.
    • Hadoop Data Roll gives you another way to reduce historical data storage costs while keeping full search capability. It’s now a free option of Splunk Enterprise that lets you save up to 80% storage capacity by leveraging your data lake for storing seldom-accessed data.
  • What’s new in Splunk IT Service Intelligence
    • ITSI is focused on improving the signal to noise ratio with IT monitoring, reducing the effort wasted sifting through vast numbers of event data by filtering, tagging and sorting events based on priority. You can quickly tag, index, enrich and add context to events in ITSI to make event management more informative and more actionable.
    • Splunk ITSI Modules include built-in data access and pre-packaged dashboards, to deliver deep, service-oriented insights into individual technology domains like application servers, databases, load balancers, operating systems, virtualization, web servers, storage, cloud services and mobile end user experience.
  • Enterprise Security 4.5 – Use Analytics-Driven Decision Making and Automation to Improve Threat Detection and Operational Efficiency
    • It provides the ability to register and configure automated or assisted response actions, enabling you to effectively leverage your existing security products (Firewall, IDS/IPS, Endpoint, Threat Intelligence, Incident Response, Identity) with Splunk ES as your central security intelligence platform.
    • You can use UI wizards and dashboards for specifying the nature of actions, categorizing actions, receive feedback on status of actions and results across a wide range set of entities.
    • Glass Tables includes a visual analytics framework that uses key security metrics to create custom visualizations. Glass Tables has two modes, viz., Edit mode and View mode. The Glass Tables Edit mode provides an intuitive visual editor, where you can create and modify visualizations, including security metrics searches based on data models and correlation searches. The Glass Tables View mode lets you see any visualization, which includes search results for security metrics based on data models and ad hoc searches.
  • Introducing Splunk UBA 3.0
    • Splunk UBA’s primary focus is to continue broadening its detection coverage and the latest release supports over forty machine learning models. The models are categorized as either streaming or batch. Streaming models analyze data in real-time, whereas batch models process data or compute aggregates at a scheduled interval; an example of a batch model would be as follows: identify any outliers on Active Directory data with Peer Group in consideration (Active Directory Markov-Chain Correlation Model).
    • Splunk UBA 2.3 (released at RSA) delivered the ability to write custom threats, but with Splunk UBA 3.0, customer threat detection capabilities were elevated to the next level. Not only are new threat scenarios delivered via content subscription, our threat research team delivers blueprints of new use-cases that can be customized to address customers’ needs. All-in-all, twelve to over twenty out-of-the-box threat scenarios are now available at customers’ fingertips. These new threat scenarios range from detecting low-and-slow attacks to detecting aggressive attacks such as Remote Account Take Over with Data Exfiltration.
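To make the streaming-versus-batch distinction in the UBA notes above concrete, here is an added example in Python (written for this post, not Splunk code, and not the Markov-chain model Splunk names): a batch peer-group outlier check and a streaming burst detector, both run over constructed Active Directory style logon records. The usernames, peer groups, host counts, timestamps and thresholds are all invented for the illustration.

```python
"""Added illustration of batch versus streaming detection models over constructed
Active Directory style logon data. Not Splunk code; the users, peer groups,
counts, timestamps and thresholds are invented for the example."""
from collections import defaultdict
import statistics

# Constructed batch input: (user, peer_group, distinct hosts logged on to in the window).
# 'svc_backup' is the planted anomaly: 41 hosts is normal for it-ops, not for finance.
SAMPLE_WINDOW = [
    ("alice", "finance", 3), ("bob", "finance", 4), ("carol", "finance", 2),
    ("dave", "finance", 3), ("erin", "finance", 4), ("svc_backup", "finance", 41),
    ("frank", "it-ops", 30), ("grace", "it-ops", 35), ("heidi", "it-ops", 28),
    ("ivan", "it-ops", 33), ("judy", "it-ops", 31),
]


def batch_peer_group_outliers(rows, threshold=3.5):
    """Batch model: scores a whole window at once, on a schedule.

    For each peer group, compute the median and median absolute deviation (MAD)
    of the metric and flag members whose modified z-score exceeds `threshold`.
    Comparing against peers rather than the whole population is what makes
    svc_backup stand out: the same count would be unremarkable in it-ops.
    """
    by_group = defaultdict(list)
    for user, group, hosts in rows:
        by_group[group].append((user, hosts))
    flagged = []
    for group, members in by_group.items():
        values = [hosts for _, hosts in members]
        median = statistics.median(values)
        mad = statistics.median(abs(v - median) for v in values)
        if mad == 0:
            continue  # every member identical: nothing to score against
        for user, hosts in members:
            score = 0.6745 * (hosts - median) / mad  # 0.6745 scales MAD to sigma
            if score > threshold:
                flagged.append((user, group, round(score, 1)))
    return flagged


def build_sample_stream():
    """Constructed event stream of (unix_seconds, user), sorted by time.

    alice logs on 3 times a minute for five minutes, then 40 times in minute six;
    bob is quiet background noise.
    """
    events = [(minute * 60 + 10 * i, "alice") for minute in range(5) for i in range(3)]
    events += [(300 + i, "alice") for i in range(40)]
    events += [(5, "bob"), (125, "bob")]
    return sorted(events)


def streaming_burst_detector(events, alpha=0.3, factor=5.0, min_events=10, bucket=60):
    """Streaming model: decides on every event as it arrives with O(1) state per user.

    Keeps an exponentially weighted moving average (EWMA) of logons per `bucket`
    seconds for each user and alerts the first time a bucket's running count
    exceeds `factor` times that baseline. `min_events` is an absolute floor so a
    user with little or no history (EWMA near zero) only alerts on a real burst.
    """
    state = {}      # user -> (current_bucket, count_in_bucket, ewma)
    alerted = set()  # (user, bucket) pairs already raised, to alert once per burst
    alerts = []
    for ts, user in events:
        b = ts // bucket
        cur, count, ewma = state.get(user, (b, 0, 0.0))
        if b != cur:
            # fold the finished bucket into the baseline, then decay once per empty bucket
            ewma = alpha * count + (1 - alpha) * ewma
            ewma *= (1 - alpha) ** (b - cur - 1)
            cur, count = b, 0
        count += 1
        if count >= min_events and count > factor * ewma and (user, cur) not in alerted:
            alerted.add((user, cur))
            alerts.append((user, cur, count))
        state[user] = (cur, count, ewma)
    return alerts


if __name__ == "__main__":
    print("batch outliers:", batch_peer_group_outliers(SAMPLE_WINDOW))
    print("streaming alerts:", streaming_burst_detector(build_sample_stream()))
```

The batch function needs the whole window before it can score anyone, which is why such models run on a schedule; the streaming function carries only three numbers per user and fires part-way through the burst (on alice's 13th logon of minute six, given the invented baseline), which is the trade-off between the two model types the release notes describe.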

Those are the big ones from this year’s .conf! I encourage you to check social media and/or their blog if you would like to see what other news is coming this week from Splunk!